SUBJECT: Audit Report on DoD Interim Federal Acquisition Computer Network
Certifications (Report No. 97-030)


We  are  providing  this  audit  report  for  your  review  and  comment.  Management 
comments on a draft were considered in preparing the final report.

Management  is  requested  to  provide  comments  on  this  report  that  conform  to 
the  requirements  of  DoD  Directive  7650.3.  In  response  to  comments  on  the  draft  of 
this  report  by  the  Defense  Information  Systems  Agency,  we  revised  the 
recommendations  and  redirected  them  to  the  Deputy  Under  Secretary  of  Defense 
(Acquisition  Reform).  We  request  that  the  Deputy  Under  Secretary  of  Defense 
(Acquisition  Reform)  provide  comments  on  the  finding  and  recommendations  by 
January  24,  1997. 

We  appreciate  the  courtesies  extended  to  the  audit  staff.  Questions  on  the  audit 
should  be  directed  to  Ms.  Kimberley  A.  Caprio,  Audit  Program  Director,  at 
(703)  604-9210  (DSN  664-9210)  (electronic  mail  KCaprio@DODIG.OSD.MIL)  or 
Mr.  Kent  E.  Shaw,  Audit  Project  Manager,  at  (703)  604-9228  (DSN  664-9228) 
(electronic  mail  KShaw@DODIG.OSD.MIL).  See  Appendix  D  for  the  report 
distribution.  The  audit  team  members  are  listed  inside  the  back  cover. 


Robert  J.  Lieberman 
Assistant  Inspector  General 
for  Auditing 


Office  of  the  Inspector  General,  DoD 


Report  No.  97-030  November  25,  1996 

(Project  No.  6CA-0013) 

DoD  Interim  Federal  Acquisition 

Executive Summary


Introduction.  Presidential  memorandum  "Streamlining  Procurement  Through 
Electronic  Commerce,"  October  26,  1993,  promotes  the  simplification  and  streamlining 
of  the  procurement  process  for  small  purchases  by  enabling  the  electronic  exchange  of 
procurement  information  between  the  private  sector  and  the  Government. 

Congress  fully  endorsed  the  electronic  commerce  initiative  when  it  passed  the  Federal 
Acquisition  Streamlining  Act  of  1994.  The  Streamlining  Act  requires  that  a  full-scale 
electronic  commerce  system  be  implemented  by  January  2000.  Specifically,  the  Act 
establishes  the  Federal  Acquisition  Computer  Network  (FACNET)  and  provides 
simplified  acquisition  procedures  for  procurements  below  the  simplified  acquisition 
threshold  of  $100,000  for  contracting  offices  that  are  interim  FACNET  certified  and 
$50,000  for  all  other  contracting  offices. 

The  Defense  Information  Systems  Agency  (DISA)  is  responsible  for  verifying  the 
interim  FACNET  capabilities  of  each  contracting  office.  DISA  certifies  those 
contracting  offices  that  have  met  all  the  technical  requirements  for  interim  FACNET 
certification. 

The  Director,  DoD  Electronic  Commerce,  Office  of  the  Under  Secretary  of  Defense 
for  Acquisition  and  Technology,  certifies  that  contracting  offices  are  interim  FACNET 
capable  based  on  the  DISA  technical  certification.  As  of  November  5,  1996,  300  of 
nearly  4,000  contracting  offices  have  been  certified. 

Audit  Objectives.  The  primary  audit  objective  was  to  determine  whether  the  process 
that  DoD  uses  to  issue  interim  FACNET  certifications  is  adequate.  The  specific 
objectives  were  to  determine  whether  the  interim  certifications  are  supported  with 
required  documentation  and  whether  organizations  that  have  received  interim 
certification  have  the  required  software  and  are  capable  of  performing  the  FACNET 
transactions.  We  also  examined  the  management  control  program  as  it  applied  to  the 
audit  objectives. 

Audit  Results.  Of  13  contracting  offices  reviewed  that  were  interim  FACNET 
certified,  5  were  not  capable  of  meeting  prescribed  requirements  for  interim  FACNET 
certification.  As  a  result,  the  contracting  offices  were  not  capable  of  sending  and 
receiving  FACNET  transactions,  and  contracting  offices  and  their  trading  partners  may 
be  affected  by  potential  loss  of  business.  Additionally,  because  not  all  of  the 
contracting  offices  were  able  to  perform  the  tasks  required  for  interim  FACNET 
certifications,  the  success  of  the  FACNET  program  may  be  overstated.  Audit  results 
are  discussed  in  Part  I. 

Management controls over interim FACNET certification needed improvement. See
Appendix A for details on our review of the management control program.
Recommendations in this report, if implemented, will bring about improvements in
interim FACNET certification and will ensure that contracting offices are capable of
sending and receiving FACNET transactions.

Summary of Recommendations. We recommend that the Deputy Under Secretary of
Defense (Acquisition Reform) revise the process for interim FACNET certification to
require  that  DISA,  working  in  conjunction  with  the  Military  Departments  and  Defense 
agencies,  conduct  technical  compliance  testing  at  each  contracting  office  seeking 
certification  and  require  that  DISA,  again  working  in  conjunction  with  the  Military 
Departments  and  Defense  agencies,  conduct  technical  compliance  testing  again  at  the 
contracting  offices  previously  certified,  and  recertify  those  offices  as  appropriate. 

Management  Comments.  DISA  partially  concurred  with  the  recommendations  in  the 
draft  report  to  conduct  compliance  testing  at  each  contracting  office  to  verify  interim 
FACNET  certification  and  to  conduct  testing  again  at  contracting  offices  that  had  been 
previously  certified.  DISA  fully  agreed  that  some  type  of  testing  is  required  before  an 
Automated  Information  System  is  declared  operational.  However,  DISA  stated  that  it 
does  not  have  the  authority  to  test  contracting  offices  because  DISA  does  not  have 
operational  control  over  those  contracting  offices.  See  Part  I  for  a  summary  of 
management  comments  and  Part  III  for  the  complete  text  of  management  comments. 

Audit  Response.  As  a  result  of  DISA  comments,  we  reassessed  the  feasibility  of 
DISA  performing  the  entire  certification/recertification  effort.  We  revised  our 
recommendations  and  redirected  them  to  the  Deputy  Under  Secretary  of  Defense 
(Acquisition  Reform),  who  is  designated  as  the  certifying  official  for  implementation  of 
interim  FACNET  certification  for  the  DoD.  We  request  that  Deputy  Under  Secretary 
of  Defense  (Acquisition  Reform)  provide  comments  on  the  recommendations  by 
January  24,  1997. 

Part I - Audit Results


Audit  Background 


This  audit  was  a  result  of  work  performed  on  Inspector  General,  DoD,  Project 
No.  5CA-3002,  "Audit  of  DoD  Implementation  of  Electronic  Commerce  in 
Contracting  for  Small  Purchases,"  which  identified  a  contracting  office  that  was 
interim  Federal  Acquisition  Computer  Network  (FACNET)  certified,  but  was 
incapable  of  completing  FACNET  transactions. 

Presidential  memorandum  "Streamlining  Procurement  Through  Electronic 
Commerce,"  October  26,  1993,  promotes  the  simplification  and  streamlining  of 
the  procurement  process  for  small  purchases  by  enabling  the  electronic  exchange 
of  procurement  information  between  the  private  sector  and  the  entire 
Government.  Further,  the  memorandum  advocates  greater  access  to  Federal 
procurement  opportunities,  simplified  access  for  potential  suppliers,  and  use  of 
nationally  accepted  data  formats. 

Subsequently,  Congress  passed  the  Federal  Acquisition  Streamlining  Act  of 
1994  (the  Streamlining  Act).  The  Streamlining  Act,  October  13,  1994,  requires 
that  a  full-scale  electronic  commerce  system  be  implemented  by  January  2000. 
The  Streamlining  Act  also  establishes  FACNET  and  provides  simplified 
acquisition  procedures  for  procurements  below  the  simplified  acquisition 
thresholds.  Until  full  FACNET  certification  is  possible,  contracting  offices  will 
employ  interim  FACNET  certification.  A  contracting  office  must  be  interim 
FACNET  certified  to  use  the  simplified  acquisition  threshold  of  $100,000.  The 
Streamlining  Act  established  simplified  acquisition  thresholds  of  $100,000  for 
interim  FACNET  certified  contracting  offices  and  $50,000  for  all  other 
contracting  offices.  Simplified  acquisition  procedures  exempt  the  contractor 
from  many  of  the  Federal  Acquisition  Regulation  requirements  associated  with 
procurements  above  the  threshold.  To  obtain  interim  FACNET  certification, 
the  contracting  office  must  be  able  to  use  FACNET  to  provide  widespread 
public  notice  of  solicitations  and  to  receive  responses  to  solicitations. 

The  Streamlining  Act  requires  that  the  Under  Secretary  of  Defense  for 
Acquisition  and  Technology  certify  to  the  Office  of  Federal  Procurement  Policy 
that  the  contracting  office  has  implemented  interim  FACNET  requirements. 
During  February  1995,  the  certifying  authority  was  delegated  through  the 
Deputy  Under  Secretary  of  Defense  (Acquisition  Reform)  to  the  Director,  DoD 
Electronic  Commerce  (EC).  As  of  September  1995,  the  Director,  DoD  EC, 
had  certified  157  of  the  3,983  DoD  contracting  offices.  As  of  November  5, 
1996,  300  contracting  offices  have  been  certified. 

The  Federal  Acquisition  Reform  Act,  February  10,  1996,  amended  the 
Streamlining  Act  by  eliminating  the  $50,000  limit  on  use  of  simplified 
acquisition  procedures  until  a  contracting  office  receives  interim  FACNET 
certification.  Now,  a  contracting  office  may  use  simplified  acquisition 
procedures  for  procurements  up  to  $100,000  without  interim  FACNET 
certification.  However,  the  threshold  will  revert  back  to  $50,000  after 
December 31, 1999, if a contracting office does not have full FACNET
certification. Full FACNET certification, in addition to interim FACNET
certification, requires the contracting office to use FACNET to do the
following:

o  receive  questions  regarding  solicitations, 
o  issue  contracts  and  orders, 
o  initiate  payments  to  the  contractor,  and 
o  archive  procurement  data. 


Audit  Objectives 


The  primary  audit  objective  was  to  determine  whether  the  process  that  DoD 
uses  to  issue  interim  FACNET  certifications  is  adequate.  Specific  objectives 
were  to  determine  whether  the  interim  certifications  are  supported  with  required 
documentation  and  whether  organizations  that  have  received  interim  certification 
have  the  required  software  and  are  capable  of  transmitting  and  receiving  the 
required  FACNET  transactions.  We  also  examined  the  management  control 
program  as  it  applied  to  the  audit  objectives.  See  Appendix  A  for  a  discussion 
of the scope, methodology, and management control program. Appendix B
summarizes  prior  coverage  related  to  the  audit  objectives. 

Interim Federal Acquisition Computer
Network Capabilities

Of  13  contracting  offices  reviewed,  5  were  interim  FACNET  certified, 
but  did  not  satisfy  the  requirements  for  certification.  The  offices  were 
incorrectly  certified  because  the  Defense  Information  Systems  Agency 
(DISA)  Electronic  Commerce/Electronic  Data  Interchange  (EC/EDI) 
Program  Management  Office  conducted  the  technical  certification  testing 
at  the  automated  information  system  level  and  not  at  each  contracting 
office.  The  certification  testing  at  the  automated  information  system 
level  rather  than  at  each  of  the  contracting  offices  was  inappropriate 
because  such  testing  did  not  detect  existing  technical  problems  at  the 
contracting  office  that  precluded  the  office  from  effectively  using 
FACNET.  As  a  result,  5  of  13  contracting  offices  reviewed  were  not 
capable  of  sending  and  receiving  FACNET  transactions,  and  contracting 
offices  and  their  trading  partners  may  be  affected  by  potential  loss  of 
business.  Additionally,  because  not  all  of  the  contracting  offices  were 
able  to  perform  the  tasks  required  for  interim  FACNET  certifications, 
the  success  of  the  FACNET  program  may  be  overstated. 


Interim  FACNET  Capability 


Of  the  13  interim  FACNET  certified  contracting  offices,  5  offices  were  not 
capable  of  performing  requirements  for  interim  FACNET  certification  using 
FACNET  to  provide  widespread  public  notice  of  solicitations  and  to  receive 
responses  to  solicitations  in  accordance  with  the  Streamlining  Act.  Specifically, 

o  Fleet  Industrial  Supply  Center,  San  Diego,  California,  claimed  that  it 
was  capable  of  transmitting  widespread  public  solicitations  as  required. 
However,  due  to  the  Navy  moratorium  and  concerns  over  the  reliability  of  the 
FACNET  architecture,  it  has  not  pursued  public  transactions.  Instead,  it  only 
transmitted  direct  solicitations  for  contract  opportunities.  In  addition,  the  Fleet 
Industrial  Supply  Center  did  not  receive  responses  to  solicitations  through 
FACNET,  but  received  them  by  telephone  or  U.S.  mail. 

o  Naval  Undersea  Warfare  Center,  Keyport,  Washington,  did  not  have 
the  capabilities  to  either  transmit  widespread  public  solicitations  or  receive 
responses  to  solicitations  because  it  could  not  access  trading  partners.  However, 
it  is  upgrading  its  FACNET  software  and  hardware. 

o  Bolling  Air  Force  Base,  Washington,  D.C.,  did  not  have  capabilities 
to  either  transmit  widespread  public  solicitations  or  receive  responses  to 
solicitations  because  its  software  could  not  access  FACNET. 

o  Charleston  Air  Force  Base,  South  Carolina,  did  not  even  have  software 
or  hardware  to  transmit  FACNET  transactions. 

o  Defense  Commissary  Agency,  Fort  Lee,  Virginia,  claimed  that  it  was 
interim  FACNET  capable.  However,  Defense  Commissary  Agency  officials 
decided  not  to  transmit  transactions  through  FACNET  because  management 
questioned  the  reliability  of  FACNET. 

Table 1 shows that 5 of the 13 contracting offices reviewed did not have interim
FACNET capabilities.

Table 1. Extent of Interim FACNET Capabilities of 13 Interim
FACNET Certified Contracting Offices Reviewed

                                              Able to Provide   Able to Receive   Date Interim FACNET
                                              Widespread        Responses to      Certification
Contracting Office Reviewed                   Solicitations     Solicitations     Granted

Fort Belvoir                                  Yes               Yes               July 5, 1995
Fort Lewis                                    Yes               Yes               July 5, 1995
Fort Sam Houston                              Yes               Yes               September 29, 1995
Madigan Army Medical Center                   Yes               Yes               July 5, 1995
Fleet Industrial Supply Center, San Diego     No                No                September 29, 1995
Naval Surface Warfare Center, Port Hueneme    Yes               Yes               July 5, 1995
Naval Undersea Warfare Center, Keyport        No                No                September 29, 1995
Andrews Air Force Base                        Yes               Yes               September 29, 1995
Bolling Air Force Base                        No                No                July 5, 1995
Brooks Air Force Base                         Yes               Yes               July 5, 1995
Charleston Air Force Base                     No                No                July 5, 1995
San Antonio Air Logistics Center              Yes               Yes               July 5, 1995
Defense Commissary Agency, Fort Lee           No                No                July 5, 1995

Technical  Certification  of  Interim  FACNET  Capability 


The  interim  FACNET  certified  contracting  offices  were  inappropriately  certified 
because  the  DISA  EC/EDI  Program  Management  Office  had  issued  technical 
certification  of  contracting  offices  based  on  performance  of  the  technical 
compliance  testing  at  the  automated  information  system  (AIS)  level  and  not  at 
each  contracting  office. 

The  technical  compliance  testing  is  a  testing  procedure  that  verifies  the  AIS 
ability  to  send  and  receive  EDI  transactions  between  the  AIS  and  the  DISA 
testing  facility  using  the  FACNET  infrastructure. 

An  AIS  is  an  assembly  of  computer  hardware  and  software  to  create,  process, 
and  store  procurement  data.  DoD  has  10  AISs  linked  to  FACNET.  The  AIS 
performs  DoD  business  functions  necessary  for  accomplishing  electronic 
commerce  through  FACNET.  The  primary  services  that  an  AIS  provides  are 
interface  with  the  contracting  offices  and  electronic  generation  of  all  forms  and 
data  bases  necessary  to  conduct  FACNET  transactions. 

The  DISA  EC/EDI  Program  Management  Office  compliance  test  facility  at 
Columbus,  Ohio,  performs  technical  certification  for  interim  FACNET 
compliance.  According  to  the  DISA  EDI  compliance  test  facility  test  plan,  the 
test  facility  validates  that  contracting  offices’  EC/EDI  transactions  are  in 
compliance  with  approved  national  standards.  The  test  facility  also  requires  the 
contracting  office  to  successfully  complete  three  transmissions  of  EC/EDI 
transactions  with  100-percent  accuracy. 

However,  DISA  issues  technical  certification  of  contracting  offices  based  on 
performance  of  the  technical  compliance  testing  at  the  AIS  linked  to  the 
contracting offices. DISA conducts this testing in accordance with the Deputy
Under  Secretary  of  Defense  (Acquisition  Reform)  memorandum  "Certification 
Process  for  Interim  FACNET  Compliance,"  June  23,  1995.  Table  2  lists  the  10 
AISs  that  have  been  approved  for  interim  FACNET  certification. 

Table 2. Automated Information Systems Linked to FACNET

Component       Automated Information System                                  Date System Approved

Army and DoD    Standard Army Automated Contracting Systems                   January 17, 1995
Navy            Automation of Procurement and Accounting Data Entry           January 27, 1995
                Emery                                                         March 31, 1995
                Federal Express                                               March 31, 1995
                Integrated Logistics Support Management Information System    January 27, 1995
                Integrated Technical Item Management Procurement              October 18, 1994
                Prism                                                         June 13, 1995
                Standard Automated Contracting Systems                        January 17, 1995
Air Force       Menu Assisted Data Entry System I                             July 14, 1995
                Menu Assisted Data Entry System II                            July 23, 1995

A  contracting  office  receives  technical  certification  from  DISA  when  the  AIS 
linked  to  the  contracting  office  has  successfully  completed  technical  compliance 
testing  using  the  FACNET  infrastructure.  DISA  then  provides  the  Director, 
DoD  EC,  a  list  of  contracting  offices  that  are  linked  to  the  AIS  that  has 
successfully  achieved  DISA  technical  certification.  Consequently,  the  Director, 
DoD  EC,  certifies  the  contracting  offices  linked  to  that  AIS  as  interim 
FACNET  certified. 

All of the 157 interim FACNET certified contracting offices obtained their
approvals because they used or planned to use one of the 10 approved AISs.
However,  DISA  tested  the  AISs,  not  each  contracting  office,  to  validate  interim 
FACNET  capabilities  of  various  contracting  offices  linked  to  the  AISs. 

The  five  contracting  offices  reviewed  that  were  not  capable  of  sending  and 
receiving  FACNET  transactions  were  certified  because  the  AISs  that  they  were 
linked  to  were  successfully  tested.  To  ensure  that  not  only  the  AISs  but  each 
contracting office is interim FACNET capable, DISA needs to perform testing
at  each  contracting  office  in  accordance  with  the  DISA  EDI  compliance  test 
facility  test  plan.  Because  testing  was  limited  to  AISs,  reliability  of  FACNET 
was  weakened,  and  contracting  offices  and  their  trading  partners  may  be 
affected  by  potential  loss  of  business  when  contracting  offices  and  trading 
partners  are  unable  to  transmit  FACNET  transactions  to  each  other. 
Additionally,  because  not  all  the  contracting  offices  were  able  to  perform  the 
tasks  required  for  interim  FACNET  certifications,  the  success  of  the  FACNET 
program  may  be  overstated. 

To  eliminate  problems  and  to  ensure  that  all  contracting  offices  are  interim 
FACNET  capable,  the  DISA  EC/EDI  Program  Management  Office  should 
direct  the  Military  Departments  or  Defense  agencies  to  ensure  that  each 
contracting  office  can  transmit  transactions  to  their  Automated  Information 
Systems. 


Recommendations,  Management  Comments,  and  Audit 
Response 

Revised  and  Redirected  Recommendations.  As  a  result  of  management 
comments,  we  redirected  the  recommendations  to  the  Deputy  Under  Secretary 
of  Defense  (Acquisition  Reform).  We  redirected  the  recommendations  because 
DISA  stated  that  it  lacked  the  authority  to  perform  testing  at  the  contracting 
office  level  because  those  contracting  offices  are  not  under  DISA  operational 
control.  Further,  DISA  stated  that  a  Deputy  Under  Secretary  (Acquisition 
Reform)  memorandum,  "Certification  Process  for  Interim  FACNET 
Compliance,"  June  23,  1995,  stated  that  testing  was  only  required  at  the  AIS 
level.  We  also  revised  the  recommendations  to  include  DISA  coordinating  the 
compliance  testing  with  the  applicable  Military  Departments  and  Defense 
agencies. Because DISA is the technical expert on EC/EDI issues, we believe
that certifications should involve both DISA and the Military
Departments and Defense agencies.

We  recommend  that  the  Deputy  Under  Secretary  of  Defense  (Acquisition 
Reform): 

1.  Revise  the  process  for  interim  FACNET  certification  to  require 
that  DISA,  working  in  conjunction  with  the  responsible  Military 
Departments  and  Defense  agencies,  conduct  technical  compliance  testing  at 
each  contracting  office  to  ensure  that  each  contracting  office  can  transmit 
transactions  required  for  interim  FACNET  certification  before  providing 
technical  certification  as  required  by  the  Federal  Acquisition  Streamlining 
Act  of  1994. 

2. Require that DISA, working in conjunction with the responsible
Military  Departments  and  Defense  agencies,  conduct  technical  compliance 
testing  again  at  the  contracting  offices  previously  certified,  and  recertify 
the  contracting  offices  as  appropriate. 

DISA  Comments  on  the  Draft  Report:  DISA  partially  concurred  with  the 
draft  report  recommendations  to  conduct  compliance  testing  at  each  contracting 
office  to  verify  that  each  contracting  office  can  transmit  transactions  required 
for  interim  FACNET  certification  and  to  conduct  technical  compliance  testing 
again  at  contracting  offices  that  had  been  previously  certified.  DISA  fully 
agreed  that  some  type  of  testing  is  required  before  an  AIS  is  declared 
operational.  However,  DISA  stated  that  the  individual  Military  Department  or 
Defense  agency  is  responsible  for  ensuring  that  its  AIS  is  compliant  with  DoD 
and Governmentwide standards. Further, DISA stated that because those
organizations are not under DISA operational control, the only way that DISA
could ensure compliance with established standards is to test at the AIS level.
DISA, however, stated that we should redirect the recommendations to the
Deputy  Under  Secretary  of  Defense  (Acquisition  Reform),  who  is  responsible 
for  interim  FACNET  certification  for  the  DoD. 

Audit  Response.  We  maintain  that  testing  is  still  needed  at  the  contracting 
office  level.  We  also  agree  with  DISA  that  the  Defense  agency  or  Military 
Department  with  authority  over  the  contracting  office  should  play  a  role  in  the 
certification  process.  As  a  result  of  the  DISA  comments,  we  revised  the  draft 
recommendations  to  encourage  cooperation  and  coordination  with  the  respective 
Military  Departments  and  Defense  agencies,  and  we  redirected  the 
recommendations  to  the  Deputy  Under  Secretary  of  Defense  (Acquisition 
Reform),  who  is  designated  as  the  certifying  official  for  implementation  of 
interim  FACNET  for  the  DoD.  We  request  the  Deputy  Under  Secretary 
(Acquisition  Reform)  provide  comments  to  the  revised  recommendations  by 
January  24,  1997. 

Part II - Additional Information


Appendix  A.  Scope  and  Methodology 


Scope  of  Audit.  We  judgmentally  selected  for  our  review  13  of  157 
contracting  offices  that  had  been  given  interim  FACNET  certification  as  of 
September  1995.  The  13  contracting  offices  include  4  Army,  3  Navy,  5  Air 
Force,  and  1  DoD  organization  contracting  office.  We  selected  those 
contracting  offices  from  the  following  three  geographical  areas  of  the 
continental  United  States:  east,  central,  and  west.  The  following  table  shows 
our  audit  coverage. 


Audit Coverage

                                Number of Contracting Offices
                                With Interim FACNET              Number Reviewed
Component                       Certification                    During Audit

Army                             55                               4
Navy                             25                               3
Air Force                        75                               5
Defense Commissary Agency         1                               1
Defense Intelligence Agency       1                               0

Total                           157                              13

Methodology.  At  each  site  visited,  we  examined  supporting  documentation 
dated  January  1995  through  September  1995  for  the  interim  FACNET 
certifications  and  tested  capabilities  of  FACNET  transactions.  We  also  obtained 
statistics  on  the  number  of  transactions,  by  type,  that  each  of  the  contracting 
offices  had  sent  and  received  over  the  FACNET  for  the  period  July  1995 
through  February  1996.  We  also  reviewed  plans  and  procedures  that  the  DISA 
EC/EDI  Program  Management  Office  used  for  performing  technical 
certification  for  interim  FACNET  certification  and  examined  DoD  EC  Office 
supporting  documentation  dated  January  1995  through  September  1995  for 
interim  FACNET  certifications.  Appendix  C  lists  those  organizations  contacted 
during  the  audit. 

Audit  Period,  Standards,  Locations.  We  performed  this  economy  and 
efficiency  audit  from  November  1995  through  April  1996.  The  audit  was  made 
in  accordance  with  auditing  standards  issued  by  the  Comptroller  General  of  the 
United  States  as  implemented  by  the  Inspector  General,  DoD.  The  audit  did  not 
rely  on  computer-processed  data  or  statistical  sampling  procedures. 


Management  Control  Program 


DoD  Directive  5010.38,  "Internal  Management  Control  Program,"  April  14, 
1987,  requires  DoD  organizations  to  implement  a  comprehensive  system  of 
management  controls  that  provides  reasonable  assurance  that  programs  are 
operating  as  intended  and  to  evaluate  the  adequacy  of  the  controls. 

Scope  of  Review  of  the  Management  Control  Program.  We  reviewed  the 
adequacy  of  Deputy  Under  Secretary  of  Defense  (Acquisition  Reform)  and 
DISA  management  controls  over  the  interim  FACNET  technical  certification. 
We  also  assessed  the  adequacy  of  management's  self-evaluation  of  those 
controls. 

Adequacy  of  Management  Controls.  We  identified  a  material  management 
control  weakness,  as  defined  by  DoD  Directive  5010.38,  relating  to  interim 
FACNET  technical  certifications.  Deputy  Under  Secretary  of  Defense 
(Acquisition  Reform)  and  DISA  management  controls  for  interim  FACNET 
technical  certification  were  not  adequate  to  ensure  that  interim  FACNET 
certified  contracting  offices  had  the  capability  of  meeting  requirements  for 
interim  FACNET  certification.  The  recommendations,  if  implemented,  will 
establish  management  controls  to  ensure  that  the  interim  FACNET  technical 
certification  process  is  adequate  and  that  contracting  offices  are  capable  of 
sending  and  receiving  FACNET  transactions.  A  copy  of  this  report  will  be 
provided  to  the  senior  official  in  charge  of  management  controls  for  FACNET. 

Adequacy  of  Management's  Self  Evaluation.  Deputy  Under  Secretary  of 
Defense  (Acquisition  Reform)  and  DISA  officials  did  not  identify  the  interim 
FACNET  technical  certification  as  an  assessable  unit  and,  therefore,  did  not 
identify  or  report  the  material  management  control  weaknesses  identified  by  the 
audit. 

Appendix B. Summary of Prior Audits and
Other Reviews


We  identified  one  General  Accounting  Office  report  that  dealt  with  the 
FACNET  program.  Additionally,  the  Inspector  General,  DoD,  has  issued 
four  reports  about  FACNET. 


General  Accounting  Office 


General  Accounting  Office  report,  GAO/T-NSIAD/AIMD-95-190, 
"Implementation  of  the  Federal  Acquisition  Streamlining  Act  of  1994,"  July  20, 
1995, reported that Government-wide standards for protecting the security of
sensitive procurement information were not yet defined. The report made no
recommendations.


The  Inspector  General,  DoD 


Report  No.  96-129,  "Audit  of  DoD  Implementation  of  Electronic  Commerce  in 
Contracting  for  Small  Purchases,"  was  issued  on  May  24,  1996.  The  review 
identified  a  series  of  issues  involved  in  the  implementation  of  electronic 
commerce  within  DoD.  The  issues  include:  realization  of  the  "single  face  to 
industry"  concept,  adequacy  of  the  transmission  of  data  by  the  DoD  FACNET 
infrastructure,  implementation  of  security  controls,  level  of  vendor 
participation,  adequacy  of  management  controls  for  FACNET  transactions,  and 
adequate  development  of  FACNET  implementation  plans.  This  report  contains 
no  findings  or  recommendations. 

Report  No.  96-214,  "Audit  of  Computer  Security  for  Electronic  Data 
Interchange  and  Electronic  Commerce  Program,"  was  issued  on  August  22, 
1996.  The  audit  objective  was  to  evaluate  procedures  of  data  security, 
continuity  of  operations,  transaction  audit  trails,  personnel  security,  and 
compliance  with  security  requirements  of  small  purchases  made  through  the 
FACNET  electronic  commerce  and  electronic  data  interchange  program.  The 
report  recommends  that  DISA  approve  a  plan  and  establish  milestones  for 
implementing  digital  signatures  and  data  encryptions  for  the  FACNET  system 
and  limit  use  of  FACNET  transactions  that  require  signatures  until  DISA 
obtains  digital  signatures  capabilities;  develop  backup  procedures  for  the 
FACNET  gateways  that  include  storage  of  critical  data  at  an  off-site  location; 
develop  continuity-of-operations  plans  for  the  gateways;  and  enhance  network 
security  by  implementing  a  firewall  protection  mechanism  and  by  ensuring  that 
FACNET  complies  with  controlled  access  protection  requirements.  DISA 
concurred  with  the  draft  report  recommendation,  stating  that  DISA  either  has 
implemented  or  plans  to  implement  corrective  actions.  However,  DISA 
requested  the  redirection  of  two  recommendations  to  the  Deputy  Under 
Secretary  of  Defense  (Acquisition  Reform)  pertaining  to  digital  signatures  and 
encryption. 

Report  No.  96-172,  "Audit  of  Certification  Management  of  Value-Added 
Networks,"  was  issued  on  June  21,  1996.  The  overall  audit  objective  was  to 
determine  the  adequacy  of  the  value-added  network  certification  process  and  of 
the  management  and  oversight  of  value-added  networks.  The  report 
recommends  that  DISA  issue  policy  requiring  enforcement  of  compliance  with 
the  Federal  Acquisition  Regulation  section  9.104,  "Contractor  Qualifications," 
to  include  establishing  a  system  for  evaluating  business  qualifications  such  as  a 
weighted  procedure  or  point  system;  issue  policy  of  monitoring  value-added 
networks  for  compliance  with  the  value-added  network  license  agreement;  and 
expedite  the  completion  and  issuance  of  the  new  value-added  network  license 
agreement.  DISA  partially  concurred  with  the  draft  report  recommendations. 
The  comments  stated  that  DISA  either  has  implemented  or  plans  to  implement 
each  of  the  recommendations.  Also,  DISA  has  procedures  regarding  contractor 
responsibility  that  are  in  accordance  with  the  Federal  Acquisition  Regulation 
requirements  and,  therefore,  DISA  does  not  see  a  need  to  revise  current 
procedures  to  determine  contractor  responsibility  in  accordance  with  the  Federal 
Acquisition  Regulation. 

Report  No.  96-057,  "Audit  of  DoD  Use  of  Electronic  Bulletin  Boards  in 
Contracting,"  was  issued  on  January  8,  1996.  The  report  states  that  the  use  of 
bulletin  boards  by  DoD  procurement  offices  to  conduct  small  purchase 
transactions  was  not  a  major  impediment  to  FACNET  implementation.  Bulletin 
boards  served  as  an  interim  solution  that  enabled  procurement  offices  to  conduct 
electronic  commerce  until  FACNET  becomes  fully  operational.  Procurement 
officials  were  not  investing  significant  resources  to  establish  new  bulletin  boards 
or  to  upgrade  existing  capabilities,  and  the  officials  were  committed  to  phasing 
out  the  use  of  bulletin  boards  when  FACNET  becomes  fully  operational.  The 
report  contains  no  findings  or  recommendations. 


Appendix C. Organizations Visited or Contacted


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  for  Acquisition  and  Technology 

Deputy  Under  Secretary  of  Defense  (Acquisition  Reform),  Washington,  DC 
Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and 
Intelligence),  Washington,  DC 


Department  of  the  Army 

Assistant  Secretary  of  the  Army  (Research,  Development,  and  Acquisition), 
Washington,  DC 

U.S.  Army  Military  District  of  Washington,  Fort  McNair,  Washington,  DC 
Fort  Belvoir,  Alexandria,  VA 
U.S.  Army  Forces  Command,  Fort  McPherson,  GA 
U.S.  Army  I  Corps,  Fort  Lewis,  WA 
U.S.  Army  Medical  Command,  Fort  Sam  Houston,  TX 
Madigan  Army  Medical  Center,  Tacoma,  WA 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller), 
Washington,  DC 

Assistant  Secretary  of  the  Navy  (Research,  Development  and  Acquisition), 
Washington,  DC 

Naval  Supply  Systems  Command,  Washington,  DC 
Fleet  Industrial  Supply  Center,  San  Diego,  CA 
Naval  Surface  Warfare  Center,  Port  Hueneme,  CA 
Naval  Undersea  Warfare  Center,  Keyport,  WA 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller), 
Washington,  DC 

Deputy  Assistant  Secretary  of  the  Air  Force  (Contracting),  Washington,  DC 
Andrews  Air  Force  Base,  Camp  Springs,  MD 
Bolling  Air  Force  Base,  Washington,  DC 
Brooks  Air  Force  Base,  San  Antonio,  TX 
Charleston  Air  Force  Base,  Charleston,  SC 
San  Antonio  Air  Logistics  Center,  San  Antonio,  TX 


Other  Defense  Organizations 

Defense  Commissary  Agency,  Fort  Lee,  VA 
Defense  Information  Systems  Agency,  Arlington,  VA 


Appendix  D.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  for  Acquisition  and  Technology 
Deputy  Under  Secretary  of  Defense  (Acquisition  Reform) 

Director,  Defense  Procurement 
Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
Assistant  to  the  Secretary  of  Defense  (Public  Affairs) 

Director,  Defense  Logistics  Studies  Information  Exchange 


Department  of  the  Army 

Assistant  Secretary  of  the  Army  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Navy 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 


Other  Defense  Organizations 

Director,  Defense  Commissary  Agency 
Director,  Defense  Contract  Audit  Agency 
Director,  Defense  Information  Systems  Agency 
Director,  Defense  Logistics  Agency 
Director,  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Inspector  General,  Defense  Intelligence  Agency 


Non-Defense Federal Organizations

Federal  Electronic  Commerce  Acquisition  Program  Management  Office,  General 
Services  Administration 

Office  of  Federal  Procurement  Policy,  Office  of  Management  and  Budget 
Secretariat,  Federal  Electronic  Data  Interchange,  National  Institute  of  Standards  and 
Technology 

Small  Business  Administration 

Technical  Information  Center,  National  Security  and  International  Affairs  Division, 
General  Accounting  Office 

Chairman  and  ranking  minority  member  of  each  of  the  following  congressional 
committees  and  subcommittees: 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 

Senate  Subcommittee  on  Acquisition  and  Technology,  Committee  on  Armed 
Services 

Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  National  Security,  Committee  on  Appropriations 
House  Subcommittee  on  Military  Procurement,  Committee  on  National  Security 
House  Committee  on  Government  Reform  and  Oversight 
House  Subcommittee  on  National  Security,  International  Affairs,  and  Criminal 
Justice,  Committee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 


Part III - Management Comments


Defense  Information  Systems  Agency  Comments 


DEFENSE  INFORMATION  SYSTEMS  AGENCY 


701  S.  COURTHOUSE  ROAD 
ARLINGTON, VIRGINIA 22204-2100



1  4  AUG  1653 


MEMORANDUM  FOR  INSPECTOR  GENERAL,  DEPARTMENT  OF  DEFENSE 
ATTN:  Director,  Contract  Management 

SUBJECT: DODIG Report on DOD Interim Federal Acquisition
Computer Network Certifications
(Project No. 6CA-0013)

Reference:  DODIG  Draft  Report,  subject  as  above,  17  Jun  96 

1.  The  Defense  Information  Systems  Agency  (DISA)  has  reviewed 
the  subject  report  and  partially  concurs  with  the  findings  and 
recommendations.  While  we  agree  that  some  type  of  testing  is 
required  before  a  system  is  declared  operational,  DISA  is  not  the 
authority  to  mandate  such  a  test.  DISA's  responsibility  is  to 
maintain  and  provide  accurate  listings  of  successful  DISA 
technical  certifications  and  to  provide  that  information  to  the 
Director,  Electronic  Commerce. 

2.  Our  detailed  management  comments  are  enclosed.  The  point  of 
contact  for  this  action  is  Ms.  Sandra  J.  Sinkavitch,  Audit 
Liaison,  (703)  607-6316. 

FOR  THE  DIRECTOR 


1  Enclosure  a/s 


Quality  Information  for  a  Strong  Defense 


COMMENTS  TO  DODIG  DRAFT  AUDIT  REPORT  ON 
DOD  INTERIM  FEDERAL  ACQUISITION  COMPUTER  NETWORK  CERTIFICATIONS 
(Project  No.  6CA-0013) 


1.  Conduct  technical  compliance  testing  at  each  contracting 
office  to  ensure  that  each  contracting  office  can  transmit 
transactions  required  for  interim  FACNET  certification  before 
providing  technical  certification  as  required  by  the  Federal 
Acquisition  Streamlining  Act  of  1994,  October  13,  1994. 

2. Conduct technical compliance testing again at the 157
contracting offices previously certified and recertify the
contracting offices as appropriate.


RESPONSE: Concur in Part to both recommendations. While we fully
agree that some type of testing is required before a system is
declared operational, the respective Services/Agencies are
responsible for ensuring their Automated Information Systems
(AIS) are compliant with the Department's/Government's standards.
As the individual Service/Agency AIS and sites are not under
DISA's operational control, the only way to ensure compliance
with established standards is to test at the AIS level.

Compliance testing ensures each AIS has been certified using
approved Federal/DOD Implementation Conventions (ICs) for all
appropriate Electronic Commerce/Electronic Data Interchange
(EC/EDI) transaction sets. Certification assures the AIS is
generating American National Standards Institute (ANSI) ASC X12
compliant electronic documents, i.e. transaction sets. Arguments
throughout the findings indicate that the definition of
compliance testing is misunderstood as well as DISA's role in DOD
Interim Federal Acquisition Computer Network Certification.

The Deputy Under Secretary of Defense for Acquisition Reform
(DUSD(AR)) memorandum, subject: Certification Process for
Interim Federal Acquisition Computer Network (FACNET) Compliance,
dated June 23, 1995, outlined DOD standard capabilities that must
be met in order to be FACNET certified. Applications must show
they successfully sent and received EDI transactions using the
DOD's EC/EDI Infrastructure and have passed compliance testing
against approved DOD Implementation Conventions to the ANSI ASC
X12 standards designated as required for FACNET compliance. As
specified in the DUSD(AR) memorandum:

"The DISA EC/EDI [Program office] PO's role in the Certification
Process for Interim Federal Acquisition Computer Network
Compliance is achieved when the following two technical
requirements are met:


1. The application has successfully completed
compliance testing through the DOD Compliance Test
Facility against approved DOD ICs to X12 standards for
all appropriate transaction sets.

2. The site has successfully deployed the application
and has established the necessary connectivity to the
DOD EC/EDI Infrastructure via a DISA Gateway and/or
Network Entry Point."

Prior  to  establishing  site  connectivity,  each  Service  and  Agency 
is  responsible  for  training  their  EDI  Site  Administrators  on  how 
to  use  the  new  EDI  Application  Interface.  The  Services  and 
Agencies  have  left  it  to  the  Site's  discretion  whether  to  use  the 
EDI  Application.  DISA  is  not  responsible  for  ensuring  usage. 

It is the DISA EC/EDI Program Office's responsibility to maintain
and provide to the Director of Electronic Commerce an accurate
list of the contracting offices which have successfully achieved
DISA Technical Certification.

DISA's Technical Certification Process consists of the following
steps:


Step 1 - Successfully establish connectivity between
Site/Gateway/Network Entry Point (NEP)

Step 2 - DISA Compliance Testing Validation

Step 3 - Gateways, through the Accountable Site
reporting POC, will notify by E-mail the
Program Office of which sites are DISA
Technical Certified. The Accountable Site
reporting POC is also responsible for
notifying the NEP when sites are added to
Gateway/AIS table

Step 4 - Primary POC provides Program Office the
combined Gateway-DISA Certification of Site
Data Status Chart

Step 5 - Program Office provides the Director of
Electronic Commerce the list of Contracting
Offices which are DISA Certified


GENERAL  COMMENT 

The  table  on  page  6  is  an  accurate  representation  of  interim 
FACNET  capabilities  at  the  time  of  the  audit.  Since  then,  DISA 
has  taken  the  necessary  steps  to  correct  the  DISA  Site 
Certification  List.  Sites  in  question  have  either  been  certified 
or  deleted  from  the  weekly  report. 